[Bug 1166743] New: /etc/subuid and /etc/subgid entries are not created for yast created users, unlike useradd
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743

            Bug ID: 1166743
           Summary: /etc/subuid and /etc/subgid entries are not created for
                    yast created users, unlike useradd
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: SUSE Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
          Assignee: yast2-maintainers@suse.de
          Reporter: katharine.chui@gmail.com
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

Installation image used:
openSUSE-Tumbleweed-DVD-x86_64-Snapshot20200312-Media.iso

/etc/subuid and /etc/subgid entries are required for non privileged podman to work as described in https://bugzilla.opensuse.org/show_bug.cgi?id=1137059

However users added with yast2 during install and after install lack the required entries

Meanwhile, command line utility `useradd` creates those entries, introducing inconsistency

Steps to reproduce:
1. Install openSUSE Tumbleweed, creating the first user `with_installer`
2. `with_installer:100000:65536` should be added to /etc/subuid and /etc/subgid after installation, however that is currently not the observed behavior
3. Create a new user `with_yast` with YaST2, `with_yast:100000:65536` should be added to /etc/subuid and /etc/subgid, however that is currently not the observed behavior
4. Create a new user with `useradd -m new_user`, /etc/subuid and /etc/subgid are created with entry `new_user:100000:65536`

Workaround for non privileged podman with YaST2 created users:
add line `USERNAME:100000:65536` to /etc/subuid and /etc/subgid

--
You are receiving this mail because:
You are on the CC list for the bug.
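The check below is an added example, not part of the original report or of YaST or shadow: it lists regular users that own no range in a subordinate ID file and flags ranges of different owners that overlap, which is what results when the same `USERNAME:100000:65536` line is added by hand for more than one user. The sample file contents are constructed, and the UID bounds 1000 to 60000 are assumed values for UID_MIN and UID_MAX.

```python
# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
with_installer:x:1000:100:Installer user:/home/with_installer:/bin/bash
with_yast:x:1001:100:YaST user:/home/with_yast:/bin/bash
new_user:x:1002:100::/home/new_user:/bin/bash
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
"""
SAMPLE_SUBUID = """\
new_user:100000:65536
with_yast:100000:65536
"""

def parse_subid(text):
    """Return [(owner, start, count)] from /etc/subuid or /etc/subgid content."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        entries.append((owner, int(start), int(count)))
    return entries

def users_without_range(passwd_text, entries, uid_min=1000, uid_max=60000):
    """Regular users (assumed UID_MIN..UID_MAX) that own no subordinate range."""
    owners = {owner for owner, _, _ in entries}
    missing = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        # The owner field may hold a login name or a numeric UID.
        if uid_min <= int(uid) <= uid_max and name not in owners and uid not in owners:
            missing.append(name)
    return missing

def overlapping_ranges(entries):
    """Pairs of different owners whose ranges share at least one ID."""
    ordered = sorted(entries, key=lambda e: e[1])
    clashes = []
    for i, (a, a_start, a_count) in enumerate(ordered):
        for b, b_start, _ in ordered[i + 1:]:
            if b_start >= a_start + a_count:
                break  # sorted by start: nothing later can overlap a
            if a != b:
                clashes.append((a, b))
    return clashes
```

Overlapping ranges mean rootless containers of different users map onto the same host UIDs, so give each user a distinct start value when adding entries by hand.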
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743

Katharine Chui <katharine.chui@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|/etc/subuid and /etc/subgid |/etc/subuid and /etc/subgid
                   |entries are not created for |entries are not created for
                   |yast created users, unlike  |YaST2 created users, unlike
                   |useradd                     |useradd
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743#c2

Attila Pinter <adathor@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adathor@opensuse.org

--- Comment #2 from Attila Pinter <adathor@opensuse.org> ---
This issue came up yesterday/today on the MicroOS group on Telegram and we did some testing.

1. Installed MicroOS server (not container host), no user is created only root.
   Steps after the installation was finished: Installed `podman`, added a user with `useradd -m test -s /bin/bash` and `/etc/subuid` and `/etc/subgid` got filled with the correct user namespace values.

2. Installed MicroOS Desktop Gnome, user is being created by YaST during the installation.
   Steps after the installation was finished: Reinstalled `podman` with pkcon, the user that was created by YaST during installation didn't get updated in `/etc/subuid` and `/etc/subgid`. Added a user with `useradd -m test -s /bin/bash` and `/etc/subuid` and `/etc/subgid` got filled with the correct user namespace values.

3. Installed Tumbleweed XFCE desktop, user is being created by YaST.
   Steps after the installation was finished: Installed `podman` with `zypper`, the user that was created by YaST during installation didn't get updated in `/etc/subuid` and `/etc/subgid`. Added a user with `useradd -m test -s /bin/bash` and `/etc/subuid` and `/etc/subgid` got filled with the correct user namespace values. However, added a user with `YaST2>Security and Users>User and Group management` and the `subuid/subgid` files have not been updated.

4. Installed Fedora 34 KDE spin, user is being created by Anaconda:
   Installed `podman` with `dnf`, the `subuid/subgid` files have been updated and user namespace has been enabled.
From our primitive tests it looks like the way YaST is creating users is not being picked up by `shadow` or `podman` or whatever handles subuid/subgid - sorry, but not sure what is responsible for updating the user namespaces -. Hope this helps a little.

(The test started here, cli outputs and some additional context are available if required: https://t.me/openSUSE_MicroOS_Desktop/9750)
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743

Dario Faggioli <dfaggioli@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dfaggioli@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743#c3

--- Comment #3 from Attila Pinter <adathor@opensuse.org> ---
After digging around a little more it seems to be clear that shadow-utils is managing this and there is also libsubid for managing subids with other programs. IMO this is something to be fixed in YaST.

https://github.com/shadow-maint/shadow/pull/250
https://github.com/shadow-maint/shadow/pull/345
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743#c5

--- Comment #5 from Dario Faggioli <dfaggioli@suse.com> ---
(In reply to Ancor Gonzalez Sosa from comment #4)
> This is a known issue (also reported as bug#1185342 and demanded via a SUSE feature request) caused by the fact that YaST does not rely on useradd to create users. That has also produced other problems in the past, like differences in how the skel directories are used (bug#1183136 and bug#1179261), and may cause more problems in the future.
>
> To fix that, we are reimplementing part of the user management in YaST to rely on useradd. That new implementation will land into Tumbleweed soon, but only affecting users created during (auto)installation.

Ok, thanks for the heads-up. This is great to hear.

> Users created with YaST after the installation will still use the old code that doesn't handle subids for some more time. That means...
>
> > 2. Installed MicroOS Desktop Gnome, user is being created by YaST during the installation. [...] the user that was created by YaST during installation didn't get updated in `/etc/subuid` and `/etc/subgid`.
>
> That should get fixed after the upcoming changes are merged into Tumbleweed soon.

Well ideally, of course, we'd like everything fixed. However, from the MicroOS (Desktop) angle, fixing this for the user created during install is going to be pretty good already. In fact, in MicroOS, YaST is not even installed, so we don't expect more users to be created with the YaST Users module at any later point than install.

On the other hand, having the user created during install have the subuids set by default would allow rootless podman (and hence toolbox) to just work out of the box, which is really key on MicroOS (Desktop).

So, yeah, thanks again and looking forward to it! :-)
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743

Han Hui Teoh <teohhanhui@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |teohhanhui@gmail.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743#c30

S. B. <sb56637@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sb56637@gmail.com

--- Comment #30 from S. B. <sb56637@gmail.com> ---
Hi there, I'm glad to see this is being worked on. Would it also be possible to make YaST Users respect the GROUPS= parameter in /etc/default/useradd ? Or should I open a new feature request for this? Thanks!
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743
http://bugzilla.opensuse.org/show_bug.cgi?id=1166743#c31

--- Comment #31 from Ancor Gonzalez Sosa <ancor@suse.com> ---
(In reply to S. B. from comment #30)
> Hi there, I'm glad to see this is being worked on. Would it also be possible to make YaST Users respect the GROUPS= parameter in /etc/default/useradd ? Or should I open a new feature request for this? Thanks!

Quite the opposite. We intentionally modified YaST to stop honoring that parameter. The goal was to align useradd and YaST as much as possible, with YaST basically just invoking useradd to do the real job of creating users. And useradd has completely ignored the GROUPS= parameter in /etc/default/useradd for years (the last version that honored it was the one in openSUSE 11.3). So now YaST ignores the GROUPS= settings just like useradd does. That's on purpose.